---
title: web-server
weight: 60
---

In order to host anything online nowadays, everybody needs a couple of things. The first is a [domain](/notes/self-sufficiency/domain.md), and the second is a web server to handle the different domains/subdomains and the HTTP(S) requests, and to deal with the SSL certificates.

Here we will use [`nginx`](https://nginx.org); [`caddy`](https://caddyserver.com) is also an option (so is `apache`, etc.) that automates SSL, but before moving to `NixOS` I was using `nginx`, so I am more familiar with the syntax.

We will put the following at the root of our own `modules/server/` folder, since it is the aggregation point for all the following services.

## nix declaration

Make a `default.nix` at `/modules/server`

```sh
$ touch /modules/server/default.nix
```

(or use the file explorer of your choice)

### configuration

Open `default.nix` in any text editor, and copy the following

```nix
{
  imports = [
    # ... all the services will go here
  ];

  services = {
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };

    sshguard.enable = true;

    openssh = {
      enable = true;
      settings = {
        # NixOS expects a string here ("no", "prohibit-password", ...), not a boolean
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        AllowTcpForwarding = false;
        X11Forwarding = false;
      };
    };
  };

  networking = {
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = ""; # fill in the address Let's Encrypt should contact
  };
}
```

and you're done. Let's break the config file down.

### explanation

1) We declare `nginx` as enabled, and set it to use the recommended options.
2) We enable `sshguard`, which protects hosts from brute-force attacks, among other things.
3) We enable `openssh`, so that we can access the server via SSH, but configure it so that nobody can use a password to log in, and root login is disabled.
4) We open ports `80` (HTTP) and `443` (HTTPS) to the internet.
5) We set up the `acme` service, which fetches SSL certificates from Let's Encrypt. Certificates require accepting the terms and an email for communication, so we accept the terms and provide an email.

{{% hint warning %}}
Before you enable the openssh config as is, make sure you have an `authorizedKey` on your user, otherwise you can be locked out of your machine. To set an SSH authorized key, add this to your `user` config

```nix
users = {
  users = {
    # replace <username> with the name of your user
    "<username>" = {
      # ...
      openssh.authorizedKeys.keys = [
        # ...
      ];
      # ...
    };
  };
};
```
{{% /hint %}}

{{% hint info %}}
By default NixOS sets a daily interval to renew the Let's Encrypt SSL certificates, so we don't need to worry.
{{% /hint %}}

Now we can start adding services.
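As an added example (not part of the original page), this is what a first service looks like when it is wired into the `nginx` and `acme` setup above: NixOS only requests a certificate once a virtual host sets `enableACME`, so until a block like this exists no certificate is fetched. The domain `example.com` and a backend listening on `127.0.0.1:8080` are assumptions for the example.

```nix
{
  # Assumed for this example: the server answers for example.com and a
  # service is listening locally on port 8080.
  services.nginx.virtualHosts."example.com" = {
    # Ask the security.acme service configured above for a certificate
    # for this host name (acceptTerms and defaults.email must be set).
    enableACME = true;
    # Redirect plain HTTP (port 80) to HTTPS (port 443); both ports are
    # already open in networking.firewall.allowedTCPPorts.
    forceSSL = true;
    locations."/" = {
      # Forward requests to the local service; recommendedProxySettings
      # adds the usual proxy headers (Host, X-Forwarded-For, ...).
      proxyPass = "http://127.0.0.1:8080";
    };
  };
}
```

Such a block goes into its own file under `modules/server/` and is added to the `imports` list of `default.nix`.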